26 August 2009

'Foreign Policy' Should Stick to its Home Turf

Foreign Policy has published some good features; this isn't one of them:

Although the newest oil rigs, which cost upward of $1 billion apiece, might be loaded with cutting-edge robotics technology, the software that controls a rig's basic functions is anything but. Most rely on the decades-old supervisory control and data acquisition (SCADA) software, written in an era when the "open source" tag was more important than security, said Jeff Vail, a former counterterrorism and intelligence analyst with the U.S. Interior Department. "It's underappreciated how vulnerable some of these systems are," he said. "It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail."

Sorry, old chap, but "open source" and "security" are orthogonal, independent axes. And this, from the same article:

"The worst-case scenario, of course, is that a hacker will break in and take over control of the whole platform," Jaatun said. That hasn't happened yet, but computer viruses have caused personnel injuries and production losses on North Sea platforms, he noted.

suggests we're talking about *Windows* systems, not "open source". So, pretty much 100% wrong. (Via @cdaffara.)

Follow me @glynmoody on Twitter or identi.ca.


Jeff Vail said...

I'll agree that, in one sense, "open source" and "security" are orthogonal, but the relationship isn't always such. In this specific quote, I was asked about electrical transmission/generation interface, and the tendency (at least in the US) has historically been to sacrifice security (e.g. unpublished protocols) in favor of ease of interoperability between multiple providers/municipalities/companies/etc. (didn't actually say "open source" but rather "published protocols" if I remember correctly).

glyn moody said...

@Jeff: thanks for the comment.

It looks to me that FP has interpreted your "published protocols" as "open source" - which is what I was really complaining about: the fact that people are bandying around the term open source without really understanding it. It's a pity they didn't run the text past you so that you could have caught this change.

Anonymous said...

Um, every single thing I know about security in electronics says that published protocols (with cryptographic handshakes and unpublished *code keys*) are much much *more* secure than unpublished protocols.

Thinking otherwise is the "security through obscurity" error.

glyn moody said...